The interpreter engine for the core JavaScript language, independent of the browser's object model. File ONLY core JavaScript language bugs in this category. For bugs involving browser objects such as "window" and "document", use the "DOM" component. For bugs involving calls between JavaScript and C++, use the "XPConnect" component.

Created attachment 657721[details][diff][review]
testcase
As far as I can tell, the missing property IC code doesn't check if there's a proxy on the prototype chain. This means that there could be a scripted proxy that claims not to have a property, but then later claims to have it. The methodjit will mistakenly act as if the property is always absent.
The attached testcase works with no command line options but fails with -m -n -a.
Just noticed this will working on the dynamic proto stuff. I'll work on a patch tomorrow.

Note that the global in the DOM will end up with a proxy on its proto chain at some point as we implement WebIDL. Will that cause unacceptable performance problems? Or is the missing property thing rare for the global anyway?

(In reply to Boris Zbarsky (:bz) from comment #6)
> Luke, Bill, I'd really like to find out what the state of comment 2 is. If
> I need to change implementation plans for the Window object, it would be
> good to know while still planning...
It seems sort of unlikely to me that we'll see real-world situations where there are a lot of property accesses to properties that don't exist for objects with proxies on the proto chain. However, it is possible. If that happens, we can add a special case for your special kind of proxy so that it can still use the missing prop IC. Either way, I don't think you have to worry.

I couldn't reproduce this neither on Win 7 64-bit, nor on Ubuntu 12.04 32-bit.
I used for this the builds from:
ftp://ftp.mozilla.org/pub/firefox/nightly/2012/09/2012-09-02-mozilla-central-debug/ (jsshell-linux-i686.zip for Ubuntu and jsshell-win32.zip for Windows), but I received errors in both cases.
Reporter, could you please give me more details on how should I procede in order to reproduce this bug?
A changeset from when the bug is reproducible would be very useful.